
Important Data Privacy and Security Considerations for Privately Held & Family Owned Businesses


The importance of developing and maintaining a robust data privacy and security program cannot be overstated, particularly given the increasing sophistication of bad actors, the growing privacy concerns of consumers, and the proliferation of data privacy laws throughout the country and around the world. Add to this landscape the commercial, reputational and operational harms to companies that experience a data breach or other security incident, and it becomes clear that all companies, no matter their size, should invest time and resources into developing a robust data privacy and security program. Among other steps that companies should take to safeguard personal information, protect against intrusions, and signal to consumers and regulators that they take privacy concerns seriously, companies should:

Develop a Robust, Customized Security Program

  • Every company should have a written information security program (“WISP”) that describes how the company protects the confidentiality and security of the personal information it collects, uses and stores. To do so, a company needs a clear idea of the types of personal information it possesses; how it collects, creates, uses, shares, stores and sells personal information; and what laws and regulations apply. Conducting a data mapping exercise or engaging a third party to conduct a risk assessment can help ensure that a company’s WISP is appropriate in scope.
  • Once a WISP is in place, a company should take active steps, such as trainings and regular communications, to ensure that its employees are aware of the company’s security practices and measures for safeguarding personal information. For instance, it is important that employees are prepared to implement incident response procedures in the event of a suspected or actual security incident.
  • A WISP should also be regularly revisited and updated as appropriate. Performing regular audits can help a company identify shortcomings in its program and inform WISP revisions.

Develop Data Privacy Policies

Companies should develop data privacy policies suitable for the structure of their business and the nature of the information they collect, such as an employee privacy policy (noting how the company collects, stores and shares personal information of its employees) and/or a website privacy policy (noting how the company’s website collects, stores and shares personal information of visitors to its website). These policies should be shared/posted as appropriate.

Enhance Data Security

Companies should implement tools and resources designed to protect against intrusions, like multifactor authentication, regular employee training (including training that incorporates mock phishing exercises), and timely computer patching and software updates. Companies should also make investments in hardware and software and, in particular, replace any unsupported software, which can leave companies more vulnerable to security incidents.

Vet and Document Third Party Arrangements

Companies should carefully vet any third parties with which they share or sell personal information and should enter into written contracts with each of these third parties. These contracts should address the scope of the parties’ arrangement, confidentiality, system security requirements, notice obligations and other actions to take in the event of a security breach, and the deletion or return of personal information, among other things. These contracts should enable the company to enforce against the third party any privacy or data security commitments that the company makes to its customers.

Evaluate and Ensure Compliance with Applicable Law

Due to the current patchwork of state, federal, and international privacy laws, it is critical to know which laws are applicable. Otherwise, a company risks having an inadequate data privacy program or being vulnerable to litigation or an enforcement action.

Depending on its industry, the location of its customers and employees, and the location of its operations (among other factors), a company could be subject to the data privacy and breach notification laws of multiple states, industry-specific laws (like HIPAA), the EU General Data Protection Regulation (“GDPR”) (applicable to businesses that process the personal information of people in the EU), and/or industry standards like the Payment Card Industry Data Security Standard (“PCI-DSS”) (applicable to businesses that accept credit or debit cards) or mobile carrier requirements (applicable to text messaging marketing campaigns), to name only a few.

Because the laws in this space are ever-evolving, companies must keep abreast of revisions to existing laws and the introduction of new laws that are applicable to their operations. Compliance requirements should also always be revisited prior to making any significant investment in technology or launching any new product or service. Companies that lack the resources to hire an employee dedicated to privacy and data security matters can task certain employees with keeping current on developments or engage a consultant, attorney or other advisor that specializes in this area to assist.

Please call your Hinckley Allen lawyer if you would like our assistance with your privacy policy, data security, vendor contracts, or other privacy or data security needs.
